Security

Last updated 9:27 AM on 4/29/26
81 Terms

1

What is the C.I.A Triad?

- Confidentiality = Preserving authorised restrictions on information access and disclosure

- Integrity = Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity; also making sure that the application logic of an information system is not altered inappropriately

- Availability = Ensuring timely and reliable access to and use of information

2

What are the 2 concepts related to integrity?

2 A's

1. Authenticity = Property of being genuine and being able to be verified and trusted

- Requires confidence in the validity of transmissions and messages through verification of users and systems

2. Accountability = Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity

- Supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action

- System must keep activity logs so that security breaches can be traced or to aid in transaction disputes

3

What are the 4 types of assets?

Hardware

Software

Data (including passwords)

Communication facilities and networks (LAN/WAN links, bridges, routers etc.)

4

What are the 3 types of asset vulnerabilities and which of the C.I.A do they compromise?

1. Corrupted system - gives wrong answers/does wrong things = Integrity compromised

2. Leaky system - unauthorised people have access = Confidentiality compromised

3. Unavailable/slow system = Availability compromised

5

What is an attack and the subclassifications of an attack?

Attack = A threat that is carried out

Classifications:

- Impact on assets

o Active attack = attempt to alter assets or affect their operation

o Passive attack = learn and make use of information - does not affect assets

- Attack origin

o Inside attack = initiated by an entity inside the security perimeter

o Outside attack = initiated by an outsider, i.e. an unauthorised user

6

What are risk and countermeasure, and what are the 4 types of countermeasure?

Risk = a measure of the extent to which an asset is threatened by a potential circumstance or event

Countermeasure = any means taken to deal with a security threat/attack, e.g. Detection, Prevention, Mitigation, Recovery

7

What are the 5 basic security controls?

1. Encryption

2. AAA (Access control, Authorisation, Authentication)

3. Physical Security

4. Privacy and anonymity

5. Backups, checksums (computation of a function that maps the contents of a file to a numerical value) and redundancies (computers and storage devices that operate as fallbacks in case of failure)
8

What is 1. Symmetric Encryption? 2. Asymmetric Encryption? 3. Digital Signature?

1. Symmetric Encryption = The same key is used to encrypt and decrypt a piece of information

2. Asymmetric Encryption = pair of keys - Private and Public

- Sender encrypts information using the public key of the recipient

- Recipient decrypts with its private key

3. Digital Signature = sender encrypts information with her private key

- Recipient decrypts with the sender's public key

9

How many keys are required to bidirectionally connect a system of 4 nodes using: 1. Asymmetric encryption? 2. Symmetric encryption?

1. Asymmetric (public key) = 2N = 8

2. Symmetric = (N x (N - 1)) / 2 = (4 x 3) / 2 = 6

10

How can you distribute keys? (1 & 2) What is the potential risk (3) and how can this risk be minimised? (4)

1. Use public key to share secret key

2. Diffie-Hellman Protocol

3. Potential Man in the Middle Attack (MITM)

4. Prevent MITM by the sender digitally signing the message (requires knowledge of the public key of the sender)

11

What is a Digital Certificate?

- Contains a public key and the user ID of the owner, with the whole block signed by a trusted 3rd party

- Binds a user/company identity to its public key

- Standard: X.509

12

What is Public Key Infrastructure (PKI)?

- The set of hardware, software, people, processes, policies and procedures

- Needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography

- Enables secure, convenient and efficient acquisition of public keys

13

What does the Certificate Authority (CA) do?

- Responsible for issuing, revoking and distributing public key certificates (trusted 3rd party)

- Certificates signed with the CA's private key (important to protect)

14

What does the Registration Authority (RA) do?

Performs functions such as identification and authentication of certificate applicants etc., but does not issue certificates directly

15

What are PKI Repositories?

- Means of storing and distributing certificates and certificate revocation lists (CRLs) and managing updates to certificates

- Allow relying parties to retrieve certificates and CRLs

16

How are certificates issued and used?

Issuance =

subject generates Public-Private Key Pair,

RA verifies subject information,

CA issues the certificate

Usage = relying party wants to verify a signature =

fetch certificate,

fetch certificate revocation list (CRL),

check if the certificate is expired,

check the certificate against the CRL (valid or revoked),

check the signature using the certificate

17

Why might certificates be revoked and where are revoked certificates stored?

- Reasons = expiration, compromised private key, HR reason, company changes name/physical address/DNS

- Certificate Revocation List (CRL) = published by the CA in the PKI repository but also sent to any relying party who is subscribed to it

- Issues with CRLs = not distributed frequently enough to be an effective help, expensive to distribute, vulnerable to DoS attacks

18

What are X.509 and the X.509 certificate revocation list?

1. X.509 = Format for public-key certificates

Issuer: CA, Subject: Public Key Owner, Signature: Hash of the entire block signed by the CA's private key

2. X.509 Certificate Revocation List = physical or digital (Online Certificate Status Protocol (OCSP) - query the CA as to whether a specific certificate is valid)
19

What is WiFi and how does it work?

1. Wireless Networking Technology

2. Has an Access Point (AP) that connects to the wired network

AP transmits radio signals in a specific frequency range

Client devices associate with the AP and receive these signals

AP name is the Service Set Identifier (SSID), used to identify a network

20

Ethernet vs WiFi

WiFi = wireless (radio waves), mobility, shared

Ethernet = wired, stable, lower latency, more consistent bandwidth and reliability

21

What does an AP do and how many APs can 1 network be made of?

- AP and clients broadcast a signal but only pay attention to traffic intended for them

- AP acts as a hub (sending info between wireless devices) and a bridge (converts signals between wired and wireless)

- 1 network can be made up of many APs

22

What frequencies are used for WiFi and what activities are they used for?

2.4 GHz = slow speed, long range, high interference, large areas or with walls

5 GHz = fast speed, short range, moderate interference, high-speed and short range requirements

6 GHz = very fast speed, shortest range, low interference, dense environments and low latency

23

What is WiFi performance measured by?

- throughput (actual data rate)

- latency

- jitter (delay variation)

- packet loss

- signal quality

- environmental and network conditions

24

What factors affect WiFi performance?

- signal strength

- interference

- network congestion

25

What are the challenges of WiFi, including the hidden node?

- Relies on shared wireless communication channels

- Hidden node issues (devices can't always sense each other's transmissions but are communicating with the same AP - collisions)

- Half-duplex (devices can't transmit and receive data at the same time)

- Variable latency due to contention and interference

26

Solution to the hidden node issue

WiFi can use Request to Send / Clear to Send (RTS/CTS).

Device sends RTS and AP sends CTS if the channel is free

27

What is an exposed node?

A situation where a device incorrectly assumes the channel is busy and unnecessarily delays transmission

28

What are CSMA/CA and CSMA/CD?

CSMA/CA = Carrier Sense Multiple Access with Collision Avoidance

Medium access control mechanism to coordinate how multiple devices share the same wireless channel

Wired networks = CSMA/CD (collision detection): listens to the channel, transmits and if a collision is detected, it stops, waits and re-transmits

Wireless networks = CSMA/CA (can't always detect collisions so CD doesn't work): listens to the channel (carrier sense) and waits for it to be idle before transmitting, uses RTS and CTS, uses ACKs to confirm receipt
29

What are the 2 functions and 4 means of user authentication?

2 functions:

- Identification (ID)

- Verification (Password)

4 means:

- (Password) Something you know e.g. PIN

- (Token) Something you possess e.g. smart card

- (Biometric) Something you are e.g. fingerprint, face ID, or Something you do e.g. voice, signature

- MFA

30

1. What are the risks of remote authentication? 2. What can be done to minimize the risk?

1. An adversary may eavesdrop on the authentication process, steal the authenticator or hijack the process, ultimately to gain access to the target system

2. Challenge-response is generally used (send a challenge value, receive back the hash of (challenge + secret), check for the correct answer)

31

1. What are some methods of password cracking? 2. What are some methods of minimizing this risk?

1. - Brute force = exhaustive search (|symbols|^length, i.e. alphabet size to the power of the password length)

- Intelligent search e.g. passwords associated with the user, words in a dictionary, popular passwords

2. - Password policies e.g. length, format

- Machine-generated passwords

- Changing passwords

- Lockout mechanics

- Throttling (time delay after consecutive failed login attempts)

- Protective monitoring (monitor unusual usage)

32

What form of the password will an attacker usually have and how do they try to crack it?

The hash rather than the actual password. A rainbow table is used as a good tradeoff between space and time

33

What is password salting and what are the benefits?

1. Generate a random salt and append/prepend it to the password

2. Compute the hash of the password and the salt

3. Store the hash of the salted password and the salt

Benefits = prevents duplicate passwords being visible in the password file, increases difficulty of offline dictionary attacks

34

What is Access Control?

Defines authorisation rights, sets policies and protects against violations of confidentiality, integrity and availability

35

What is DAC and its issues?

Discretionary Access Control (DAC) = identity-based controls, the owner sets subject permissions to objects.

Issues = flexible but open to mistakes/abuse, complex to manage, permissions change regularly as objects and subjects change frequently

36

What is MAC?

Mandatory Access Control (MAC) = classification of subjects and objects by security level, e.g. military (access rights cannot be transferred), more secure than DAC

37

What is the difference between a model and a policy?

A policy defines what is allowed and a model provides a structured way to define that allowance

38

What are subjects, objects and access rights?

- Subject = entity capable of accessing objects, or a process that represents a user or application that actually gains access to an object; 3 classes = owner, group and world

- Object = resource to which access is controlled, or an entity used to contain/retrieve information

- Access right = the way in which a subject may access an object (read, write, execute, delete, create and search)
39

What are the 4 different types of WiFi attacks and how do they work?

1. Eavesdropping = unauthorised interception of wireless network traffic by an attacker who listens to the communication between devices - the attacker uses a wireless card in monitor mode and a packet sniffing tool e.g. Wireshark to capture nearby WiFi traffic, then analyses packets for information

2. Man in the Middle = attacker secretly intercepts and can modify communication between 2 parties without their knowledge

3. Deauthentication attack = forces WiFi devices to disconnect from a network by sending fake deauthentication frames to the victim or access point

achieves: denial of service, forces users to reconnect (potential for other attacks), evil twin attack

4. Evil twin attack = attacker sets up a fake WiFi access point that impersonates a legitimate network

40

What are the 4 WiFi security mechanisms over time?

1. WEP = Wired Equivalent Privacy

encryption method: RC4 (stream cipher to encrypt data)

key management: static (PSK)

encryption key: 64/128 bits

security: very low

2. WPA = WiFi Protected Access

encryption method: TKIP (temporary key derived from the PSK using TKIP) and RC4

key management: dynamic - PSK

encryption key: 128 bits

security: low

3. WPA2 = WiFi Protected Access II

encryption method: AES with CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) - ensures integrity, confidentiality, authentication, replay protection

key management: dynamic - PSK

encryption key: 128 bits

insecurities = attackers forced a device to reinstall an already used key - fixed by software update

security: high (patched version)

4. WPA3 = WiFi Protected Access 3

encryption method: AES

key management: improved dynamic - SAE (more secure initial key exchange and forward secrecy)

encryption key: 128/192 bits

security: high
42
New cards

What is IPsec and what does it prevent?

Internet Protocol Security (IPsec)

Secure communications over IP networks by

providing encryption (confidentiality),

authentication and data integrity. Prevents

eavesdropping, data alterations & impersonation

43
New cards

How does IPsec work?

2 modes:

1. Transport mode - only payload (data)

encrypted and authenticated with original IP

header remaining intact and visible

2. Tunnel mode - entire IP packet including

header encrypted and authenticated

44
New cards

What are the 3 main steps to IPsec?

1. Internet Key Exchange (IKE) - securely

establishes authentication and key exchange

between two devices, creating Security

Associations (SAs) to enable encrypted

communication

2. Authentication Header (AH) attaches a

cryptographic hash built from a shared secret key and hash function to the packet

3. Encapsulation Security Payload (ESP) - encapsulates the original data within a secure

header and encrypts it (ie AES)

45
New cards

What are the downsides to IPsec?

- Performance overheads

- Complex setup and configuration

- Potential incompatibility issues

46
New cards

1. Why is DNSSEC needed?

2. Why does it work?

3. What are the downsides?

1. DNS provides no authenticity or integrity and

can lead to DNS spoofing & DNS cache poisoning

2. Provides authenticity, data integrity,

nonexistence proof

3. No confidentiality, Performance overhead

47
New cards

How does DNSSEC work?

- Signs DNS replies at each step of the way

- Public key cryptography to digitally sign DNS

records

- Adds new record types to hold certificates

- Resource Record Signature (RRSIG) - digital signature for DNS record set

- DNSKEY - public key used for verification

(Zone Signing Key = ZSK - signs DNS records in a zone

Key Signing Key = KSK - signs the DNSKEY records themselves)

48

What are examples of DAC, MAC, RBAC and ABAC?

1. DAC = social media, Linux permissions

2. MAC = military

3. RBAC = healthcare systems, corporate IT systems

4. ABAC = streaming sites with age restrictions, financial transaction systems

49

What is a "role" in RBAC?

1. "Role" = abstract representation of jobs/functions, so more manageable policies, less user administration, easier to audit, higher flexibility and scalability.

2. Roles are hierarchical and can inherit from each other but can also have constraints - simplifies permission management, reduces redundancy and increases policy scalability

50

What is RBAC?

Access based on a user's role in the organisation, with each role associated with certain permissions

51

What are RBAC constraints and the types?

1. Constraint = defined relationship among roles or a condition related to roles

2. Types:

a) Mutually exclusive roles -

- Static separation of duty (SSoD) = user can only have one role

- Dynamic separation of duty (DSoD) = user may have 2 roles but cannot activate them both in one session e.g. switching teams

- Any permission can be granted to only one role

b) Temporal (time) constraints

c) Cardinality (maximum number with respect to roles)

d) Prerequisite roles

52

What is ABAC and an attribute?

ABAC = access control by evaluating rules against the attributes (characteristics that define specific aspects of entities (subject and object), operations and the environment relevant to a request)

Attribute:

Subject e.g. identity/characteristics

Object e.g. from metadata - title, date, author etc.

Environment conditions e.g. operational, technical, situational or context, e.g. network security level, current date & time and/or requested operations

53

What are the advantages and disadvantages of ABAC?

Advantages = dynamic, contextual, fine-grained

Disadvantages = more complex than other models, relies on trust, encroaches on privacy

54

What to do when multiple rules can apply to an access request in ABAC?

Deny-overrides: i.e. if any rule denies, the request is overall denied

Permit-overrides: i.e. if any rule permits, the request is overall permitted

First-applicable: i.e. evaluate rules in order and follow what the first applicable rule says

Only-one-applicable: if 0 or more than 1 rule applies, the result is indeterminate or the request is denied (for mutually exclusive policy domains)
55

What are the 4 parts of Solove's Taxonomy of Privacy and examples of each?

1. Information Collection - surveillance, interrogation, aggregation (combination of various pieces of data about a person)

2. Information Processing - identification, insecurity, secondary use, exclusion

3. Information Dissemination - confidentiality breaches, exposure, appropriation, distortion, disclosure, increased accessibility, blackmail

4. Invasions - intrusion, decisional interference

56

What are the 3 research paradigms of Privacy Enhancing Technologies (PETs)?

1. Privacy as Confidentiality - data anonymisation

2. Privacy as Control - anonymous credentials

3. Privacy as Practice - feedback and awareness tools

57

What is a Proxy?

A -> P -> B:

P knows that A and B communicated and what they sent each other; A connected to P, and B sees that P connected to it

58

Proxy vs VPN?

- Similarities = both hide IP addresses; connections between Proxy/VPN endpoints may not be encrypted

- Differences = a VPN encrypts with a VPN node; a Proxy is not designed to encrypt communication; multiple VPN nodes can form a VPN (Private network)

59

1. What are: a. Mixes, b. Onion Encryption, c. Perfect Forward Secrecy (PFS)? 2. How does a destination respond when using a mix network? 3. How can you have 2-way anonymity?

1a. Mixes = a chain of proxy servers to create hard-to-trace communications

1b. Layers of encryption (onion encryption)

1c. Perfect Forward Secrecy (PFS) reduces the risk to data even if some keys are compromised

2. The destination responds in a mix network as the sender places keys at each mix along the path & data is re-encrypted as it travels back

3. Two-way anonymity is provided in Tor for hidden services

60

What are cybercriminals:

o interested in?

o typical attacks?

o attack vectors?

o Interested in illegal profit

o Typical attacks = money theft, personal document ransom, data breaches, distributed denial of service (DDoS), cryptojacking

o Generally advanced skills and attack vectors

61

What are nation states:

o interested in?

o typical attacks?

o attack vectors?

o Interested in intelligence, sabotage activities/critical infrastructures, subversion (e.g. political election) - overall cyberwarfare activities

o Typical attacks = influence campaigns, data breaches, DDoS, Advanced Persistent Threats (APT - long-term pattern of targeted, sophisticated attacks)

o Cyberwarfare attractive as cost effective, no casualties, difficult to connect, anonymity, plausible deniability, cyber deterrence

o More advanced attack vectors than cybercriminals
62

What are hacktivists:

o interested in?

o typical attacks?

o attack vectors?

o Motivated by political, religious or social ideologies

o Typical attacks: web defacements, data breaches, DDoS

o Example: Anonymous, with members known as Anons

o Less advanced attack vectors than cybercriminals

63

What are: 1. Insiders, 2. Script Kiddies/Noobs

o interested in?

o typical attacks?

o attack vectors?

Insiders:

o Legitimate access to valuable resources

o ONLY intentional attacks counted

Script Kiddies/Noobs:

o Less skilled hackers, motivated by curiosity, challenge or desire to progress as a hacker

64

What is the difference between an attack instigator and a perpetrator?

An insider can be bribed by a cybercriminal gang or nation state

Instigator = employer e.g. cybercriminal gang

Perpetrator = employee e.g. insider

65

What are the steps of the Lockheed Martin Cyber Kill Chain?

1. Reconnaissance - target research and selection e.g. gathering of emails

2. Weaponization e.g. phishing email, remote access trojan (RAT)

3. Delivery of payload to target e.g. email attachment or USB stick

4. Exploitation - execution of payload e.g. user deception, exploit of known vulnerabilities of the target

5. Installation - ensure payload persistence within the target e.g. installing multiple copies on different machines

6. Command and Control (C2) - establish a communication channel with an external C2 server e.g. ciphered connection over HTTPS

7. Actions on Objectives e.g. data exfiltration, disruption

66

What are Cyber Attack Life Cycle Models and what are they used for?

1. Empirical models to represent the anatomy of cyber attacks

2. Provide a framework to better understand cyber attacks: to figure out why past attacks succeeded, identify convenient & effective ways to protect assets and forecast potential next steps of a possibly ongoing attack

67

What are the 5 steps for Multi-Step Cyber Attacks?

1. Attackers -> Web = Attackers scan the web for vulnerable servers

2. Web -> Dispute resolution documents containing personally identifiable information = Attackers find a vulnerability within the Equifax dispute portal servers

3. Dispute resolution documents containing personally identifiable information -> Databases = Attackers locate additional servers and login credentials

4. Databases -> Data extraction = Attackers are able to remain hidden while maintaining presence

5. Attackers slowly extract data from 51 databases in small increments to help avoid detection

68

Delivery vs Exploitation vs Installation?

o Delivery = "how" the malicious code gets to the target

o Exploitation = "trigger" - the moment the code actually runs by taking advantage of a software bug or human error

o Installation = "persistence" - the attacker remains in the system even if the computer restarts or the original exploit is closed
69

What is the Hacktivism Cyber Attack Life Cycle?

Hacktivism:

1. Define target

2. Find and organise accomplices

3. Build or acquire tools

4. Research target infrastructure/employees

5. Test for detection

6. Deployment

7. Initial intrusion

8. Outbound connection initiated

9. Expand access and obtain credentials

10. Strengthen foothold

11. Exfiltrate data

12. Cover tracks and remain undetected

70

What is the Mandiant Cyber Attack Life Cycle?

1. Initial recon

2. Initial compromise

3. Establish foothold

4. Escalate privileges

5. Internal recon

6. Move laterally

7. Maintain presence

8. Repeat from 4-7

9. Complete mission

71

What is Social Engineering?

Techniques to psychologically manipulate people into performing actions or divulging specific information

72

Explain the Anatomy of Social Engineering Attacks (7)

Social engineer = individual or group

Target = individual or organisation

Goal = financial gain, unauthorised access, service disruption

Medium = email, in person, telephone, SMS, paper mail, storage media, webpage, pamphlets

Technique = Phishing, Pretexting, Baiting, Quid Pro Quo

Compliance principle = Friendship, commitment, scarcity, reciprocity, social validation, authority

Communication = direct (bi- or unidirectional), indirect

73

What are the 4 Social Engineering Techniques and examples of each?

Information gathering e.g. online company websites, social media, dumpster diving, shoulder surfing

Electronic Techniques = Phishing, Vishing (voice phishing), Smishing (text phishing)

Physical Techniques = tailgating, piggybacking (e.g. holding the door), physical impersonation

Lure Techniques = Baiting (e.g. prize link), quid pro quo

74

What are the ways to achieve money theft?

1. From end users - steal credit card details e.g. man-in-the-browser attack and capturing credentials using keylogging or form grabbing

2. From enterprises - business email compromise (BEC) scams (CEO fraud - money sent by a colleague)

3. From financial institutions - bank heist = possibility to steal millions with a single attack

4. From cryptocurrency wallets/exchanges - wallets/exchanges hacked

75

How is Personal Document Ransom carried out?

o Through Ransomware

1. Open an attachment that either prompts users to execute a macro or launches PowerShell to download and execute the final payload

2. Ransomware begins encrypting specific types of files, which will be decrypted only by paying a ransom

76

What is Cryptojacking?

Malicious cryptomining

77

Data breaches: 1. What types of data might be stolen? 2. What happens to stolen data?

1. names, emails, phone numbers, encrypted/unencrypted security Q&A, DOB, hashed passwords

2. Public disclosure, private intelligence, sold on the black market

78

Distributed Denial of Service: 1. What is its aim? 2. How is it accomplished? 3. When is it "Distributed"?

1. Aim - making a service unavailable to its intended users

2. How it's accomplished - overloading its resources by service request flooding; IoT devices used to form a botnet, controlled by C&C infrastructure

3. DDoS = when the flooding traffic is generated by many different sources

79

What are influence campaigns?

o Series of cyber attacks and releases of information aimed at influencing the thinking and choices of a large number of persons

o Bots on social media platforms

80

1. What are web defacements and who are they done by? 2. What are supply chain attacks?

1. Change the appearance of the website - mostly by hacktivists

2. Adversary compromises the weakest link in the supply chain and reaches the target from there

81

What is the difference between the Exploitation and Installation phases of the Kill Chain?

Exploitation = actions to gain entry to the network / execution of the payload

Installation = actions to gain control over the network / persistence within the network